One factor that people mention often with foaf+ssl is that the server has to have its own certificate. This means registration with a CA, which is costly and tedious, and it does not really solve the problems of server authentication, as Dan Kaminsky shows ruthlessly in "Black Ops of PKI" http://bit.ly/4Uwb2K .

To summarise his talk, server security is in a double bind:

1. Dan Kaminsky's DNS poisoning attack, which is very well explained by Rick VanRein's presentation "Cracking Internet: the urgency of DNSSEC" (http://bit.ly/2darr8 view with FFox > 3.5 as it uses ogg video), means that a DNS can easily be hacked in 6 weeks, and a lot of money poured into the wrong people's pockets. So there is a financial incentive to break DNS.

2. The solution of using https with X.509 public key cryptography's backing cannot work because there is a race to the bottom in the way CA's issue certificates. For enough money it is not that difficult to become God and to pretend you are anyone.

Given the above, DNSsec has become urgent enough that it is being deployed.

So listening to Dan Kaminsky you would think that he is against X509. Well, certainly it could be improved a lot, but he is not quite as negative as one may think. X.509 with DNSsec seems to be something he thinks can work.

What he told me after his CCC and HAR talks, and what you can see in the last few minutes of the HAR talk "X509 considered Harmful" http://bit.ly/2darr8 , is that once DNS is secure one could put the X509 (self signed even) certs into the DNS records. This would bypass the need for CAs. [ I hope I understood him correctly ]. I am not sure what needs to be done to make this possible with the browser vendors, but it would massively improve security on the web.
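As an added illustration of the "certs in DNS records" idea (this is example code, not from the original post or from either of the talks it cites), here is a client-side check that accepts a server certificate only if a DNSSEC-validated record for that host matches it, with no CA in the picture. The record shape follows the DANE/TLSA design (RFC 6698) that later standardised exactly this: a matching type selects whether the record carries the full certificate or a SHA-256/SHA-512 digest. The hostname, the "DER" byte strings standing in for certificates, and the zone contents are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

# Matching types as defined for DANE/TLSA (RFC 6698):
#   0 = record holds the full certificate, 1 = SHA-256 digest, 2 = SHA-512 digest
MATCH_FULL, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class DnsCertRecord:
    """One certificate-association record as it would sit in a DNSSEC-signed zone.

    name is the TLSA-style owner name "_<port>._tcp.<host>" (constructed here).
    """
    name: str
    matching: int
    data: bytes


def association_data(cert_der: bytes, matching: int) -> bytes:
    """Derive the record payload for a certificate under the given matching type."""
    if matching == MATCH_FULL:
        return cert_der
    if matching == MATCH_SHA256:
        return hashlib.sha256(cert_der).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(cert_der).digest()
    raise ValueError(f"unknown matching type {matching}")


def publish_record(host: str, port: int, cert_der: bytes,
                   matching: int = MATCH_SHA256) -> DnsCertRecord:
    """What the site operator puts in the zone: a digest of its (even self-signed) cert."""
    return DnsCertRecord(name=f"_{port}._tcp.{host}", matching=matching,
                         data=association_data(cert_der, matching))


def verify_against_dns(host: str, port: int, presented_der: bytes,
                       records: List[DnsCertRecord],
                       dnssec_validated: bool) -> Tuple[bool, str]:
    """Client-side check: accept the presented certificate only if a DNSSEC-validated
    record for this host/port matches it. No CA is consulted at all."""
    if not dnssec_validated:
        # Without DNSSEC the record is exactly as spoofable as the DNS answer itself,
        # which is the poisoning problem the post starts from.
        return False, "DNS answer was not DNSSEC-validated; ignoring certificate records"
    owner = f"_{port}._tcp.{host}"
    candidates = [r for r in records if r.name == owner]
    if not candidates:
        return False, f"no certificate record published for {owner}"
    for rec in candidates:
        if association_data(presented_der, rec.matching) == rec.data:
            return True, f"certificate matches DNS-published record (matching type {rec.matching})"
    return False, "presented certificate matches none of the published records"


# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CERT_SITE = b"constructed-DER: self-signed cert for social.example"
CERT_ROGUE = b"constructed-DER: cert for social.example issued by a compromised CA"

# The constructed zone publishes a SHA-256 association for the site's own self-signed cert.
ZONE = [publish_record("social.example", 443, CERT_SITE)]


def demo() -> Tuple[bool, bool, bool]:
    """Genuine cert with validated DNS, rogue CA-issued cert, and genuine cert over unsigned DNS."""
    genuine, _ = verify_against_dns("social.example", 443, CERT_SITE, ZONE, dnssec_validated=True)
    rogue, _ = verify_against_dns("social.example", 443, CERT_ROGUE, ZONE, dnssec_validated=True)
    unsigned, _ = verify_against_dns("social.example", 443, CERT_SITE, ZONE, dnssec_validated=False)
    return genuine, rogue, unsigned


if __name__ == "__main__":
    print(demo())
```

The point of the third case is the dependency the post spells out: the DNS record only removes the CA from the trust chain if the DNS answer itself arrived with a valid DNSSEC signature, so a client must treat an unvalidated answer as if no record existed.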

As a result I have faith that the global situation on the internet will only make foaf+ssl solutions easier and more secure to deploy, enabling a completely distributed social network to emerge, free and without the spying, as Eben Moglen author of the GPL said so well recently http://bit.ly/brQmJz